Scope of Discussion

Development of S/C inhibit tracking for GPM during I&T at GSFC and at the range






Motivation for Creation of the Tool

1. How and why did this come up on GPM?

2. Why was developing this process/tool important?



Definition of Terms


1. Terms 
— Inhibits 
— Controls 

— Critical Software Commands/Controls 
— Fault (Failure) tolerance 
— Design for Minimum Risk 






Definition of Terms 



1. Inhibits: An independent and verifiable mechanical and/or electrical device that prevents a hazardous event from occurring; the device has direct control and is not the monitor of such a device. (NPR 8715.7A) (green circles)

2. Controls: Hardware or software that affects the operation of an inhibit. (Shirley's definition) (tan circles)

3. Critical Software Commands: A command that either removes (and/or activates) a safety inhibit or creates a hazardous condition. (NPR 8715.3C, App B) (yellow arrows)

4. Fault (Failure) Tolerance: The ability to sustain a certain number of failures and still retain capability. (NPR 8705.2B, NPR 8715.3C App B)

5. Design for Minimum Risk: Structural members, pressure vessels, pressurized lines/valves, pyrotechnics, material compatibility, some mechanisms, flammability, etc., where fault tolerance design is not practically possible, shall be controlled by design standards or other established organizations (design using robust design margins and safety factors).

ASRC FEDERAL
GPM Overview


1. What does GPM do? 

2. How many instruments are there? 



GPM Overview

[Figure: GPM observatory with the HGAS, GMI, KuPR and KaPR labelled]
GPM Overview



Instruments in Action

GPM Microwave Imager (GMI): 10-183 GHz

Dual-Frequency Precipitation Radar (DPR):
KuPR: Ku-band (13.6 GHz)
KaPR: Ka-band (35.5 GHz)


GPM Overview

What are the hazards?

[Figure: GPM observatory with the KaPR, HGAS, GMI and KuPR labelled]
GPM Overview


• What are the hazards?

1. Deployables
  • HGAS - High Gain Antenna System
  • SA - Solar arrays
  • GMI instrument (GPM Microwave Imager)

2. RF
  • S/C transmitter
  • DPR (Dual-frequency Precipitation Radar): two radars, at roughly 13 GHz and 35 GHz

3. Fuel system
  • Propulsion
Tool Development Process Steps


[Figure: the tool development flow. Step 1: Define inhibits and controls; Step 2: Define I&T testing; Step 3: Determine inhibit status during each test; Step 4: Determine software criticality. The worksheet fragments visible show HGAS Deploy rows (FSW from C&DH SC processor triggered by LV separation switch; DFU Power Source (arm); Arming plug removed (test plug or safety cap installed); NEA removed/bypassed), a "Safety Support to certify all SW" row, and the colour key: Software Control in place (and another physical inhibit in place) = green; No Software Control (S/C unpowered) = grey]
Step 1 Define inhibits and controls


HGAS stowed

[Figure: HGAS in its stowed configuration with the launch restraint mechanisms marked]
LRM - Launch Restraint Mechanism
HGAS - High Gain Antenna System






Step 1 Define inhibits and controls

HGAS Electrical Inhibits

[Figure: HGAS electrical inhibit circuit. Callout: HGAS Inhibit #1 is shared with S/A, autonomous**]
DFU - Deployment Firing Unit
PSE - Power Supply Electronics
NEA - Non-Explosive Actuators
Step 1 Define inhibits and controls


HGAS Inhibits and Controls

HGAS - High Gain Antenna System
— Mechanically: (3) deployment hinges
— Electrically: it is 2-fault tolerant for each hinge
— Inhibits include:

[Figure: HGAS deployment firing circuit from the PSE through DFU A and DFU B to the HGA NEA actuators. Callouts recoverable from the figure:
 - HGAS Inhibit #1 is shared with S/A, autonomously removed by FSW RTS at LV sep + 8:56 min
 - PSE switched power to DFU B (control power SSPCs ON at launch, Inhibit #1 SSPC OFF at launch)
 - Deploy 1 & 2 cards have the same design; additional NEA circuits are controlled from Deploy 2 (Inhibit 2 on Deploy 2 controlled by FPGA1, Inhibit 3 on Deploy 2 controlled by FPGA2)
 - 'ENABLE' FET is not independent from 'ARM' FET (both removed by FPGA2)
 - Deploy 1 and Deploy 2: same circuit design as DFU A
 - Outputs: to Solar Array NEAs 1-10 (Input A and Input B), to Solar Array NEAs 11-20 (Input A and Input B), to HGA NEAs 4-6 (Input A and Input B); HGA NEA actuators and redundant HGA NEA actuator circuits
 - C&DH S-COMM card to S/C]

1. FET in Power Systems Electronics
2. 1st FET in Deployment Firing Unit
3. 2nd FET in Deployment Firing Unit
4. Power relay switch off
5. Safety strap/tie
6. Arming plug removed
7. NEAs are either removed or bypassed
8. Keepout zone (not an inhibit but a control)
Step 1 Define inhibits and controls



Inhibits | Inhibit Type | Inhibit Control
1. PSE | FET | FSW from C&DH SC processor triggered by LV separation switch or ground command (same as SA)
2. DFU Power Source (arm) | FET | Ground command over 1553 bus to DFU
3. DFU Power Source (fire) | FET | Ground command over 1553 bus to DFU
4. Safety strap | restraint | I&T procedure
5. Arming plug removed (test plug or safety cap installed) | plug | I&T procedure
6. NEA removed/bypassed | disconnected | I&T procedure
7. S/C off | relay | Battery and GSE power supply
Control: Keepout zone (restricted access) | barrier | I&T procedure


Step 1 Define inhibits and controls

Solar Array stowed

[Figure: solar array in its stowed configuration with LRM #1, #3, #4 and #5 marked]
LRM - Launch Restraint Mechanism




Step 1 Define inhibits and controls

Solar Array Electrical Inhibits

[Figure: solar array deployment firing circuit (PSE, DFU A and DFU B, C&DH cards, safe/arm plugs, Solar Array NEA Actuators 1-10, redundant solar array NEA actuator circuits from DFU B). Callouts recoverable from the figure:
 - DFU control power is ON at launch; S/C 1553 bus
 - PSE switched power to DFU B (control power SSPCs ON at launch, Inhibit #1 SSPC OFF at launch)
 - Deploy 1 & 2 cards have the same design; additional NEA circuits are controlled from Deploy 2 (Inhibit 2 on Deploy 2 controlled by FPGA1, Inhibit 3 on Deploy 2 controlled by FPGA2); same circuit design as in DFU A
 - Commands to PSE to remove Inh #1 (RTS or Haz GND CMD)
 - Commands to Deploy 2 card to close 'ENABLE' FET; commands to Deploy 2 card to remove Inh #2 (RTS or Haz GND CMD) 'ARM'
 - Commands to Deploy 1 card to remove Inh #3 (RTS or Haz GND CMD) 'FIRE'
 - FSW delays between RTS 3, RTS 7 and RTS 9
 - 'ENABLE' FET is not independent from 'ARM' FET (both removed by FPGA2)
 - C&DH S-COMM card: LV separation switch 1 or 2; C&DH MAC cards: LV breakwire 1A or 1B, 2A or 2B
 - Outputs: to HGA NEAs 1-3 (Input A and Input B), to Solar Array NEAs 11-20 (Input A and Input B), to HGA NEAs 4-6 (Input A and Input B)]

DFU - Deployment Firing Unit
PSE - Power Supply Electronics
NEA - Non-Explosive Actuators
Step 1 Define inhibits and controls


Solar Array Inhibits and Controls

• Solar array (red is the difference with HGAS)
  - Mechanically: (5) deployment hinges
  - Electrically: it is 2-fault tolerant for each hinge
  - Inhibits include:

[Figure: the same DFU firing-circuit drawing as on the HGAS slide, with the solar array differences marked in red. Callouts: Deploy 1 & 2 cards have the same design; additional NEA circuits are controlled from Deploy 2 (Inhibit 2 on Deploy 2 controlled by FPGA1, Inhibit 3 on Deploy 2 controlled by FPGA2); PSE switched power to DFU B (control power SSPCs ON at launch, Inhibit #1 SSPC OFF at launch); 'ENABLE' FET is not independent from 'ARM' FET (both removed by FPGA2); outputs to HGA NEAs 1-3, Solar Array NEAs 11-20 and HGA NEAs 4-6 (Input A and Input B); redundant solar array NEA actuator circuits from DFU B; LRM #3]

1. FET in Power Systems Electronics
2. 1st FET in Deployment Firing Unit
3. 2nd FET in Deployment Firing Unit
4. Power relay switch off
5. Tether/pin
6. Arming plug removed
7. NEAs are either removed or bypassed
8. Keepout zone






Step 2 Define I&T testing

[Figure: inhibit-tracking timeline header. Column groups: Phases at TnSC, Launch. Rows: PSE (FSW from C&DH SC processor triggered by LV separation), DFU Power Source (arm), DFU Power Source (fire), Arming plug removed (test plug or safety cap installed), NEA removed/bypassed, Keepout zone (restricted access)]



Step 2 Define I&T testing

• Performance Tests
  - CPT (Comprehensive Performance Test)
  - Functional test
  - Aliveness test
  - Alignment test
  - Mass properties
  - Magnetic survey
  - End-to-End/MOC test
  - Deployment test and stow
  - Walkout test and stow

• Environmental Testing
  - Thermal Vacuum/Thermal Balance
  - EMI tests
  - Vibration tests
  - Acoustics test
  - Shock Separation test
Step 2 Define I&T testing

Deployable circuitry during testing

[Figure: three circuit configurations, top to bottom: (1) Flight - arm plug, spacecraft, NEA; (2) Observatory functional - spacecraft with NEA simulator; (3) CPT]

Top figure is the operational configuration: the NEA in place with 3 inhibits and the arming plug. Functional test.

Middle figure is the Observatory functional test. Power to the box. For deployables, the arming plug is removed and an NEA simulator is used so the NEAs won't fire.

Bottom is the CPT (comprehensive performance test). Arming plug in place but NEAs electrically disconnected.
Step 2 Define I&T testing


• Performance Tests
  - CPT (Comprehensive Performance Test)
  - Aliveness test
  - Functional test
  - Alignment test
  - Mass properties
  - Magnetic survey
  - End-to-End/MOC test
  - Deployment test
  - Walkout test

• Environmental testing
  - Thermal Vacuum/Thermal Balance
  - EMI tests
  - Signal injection (DPR specialty test)
  - Vibration tests
  - Acoustics test
  - Shock Separation test
Step 2 Define I&T testing - Test order on GPM Timeline Tool


1 Mechanical Integration for each subsystem
2 Deploy HGAS, Gimbal Func. Test and stow
3 HGAS Align
4 HGAS Walk-out
5 Pre-inst Mag Survey
6 CPT and actuator tests
7 HGAS Walk-out
8 Mag Survey
9 CPT (baseline OBS)
10 HGAS Walk-out
11 TV, Therm Bal, CPT, Miss Sim #1
12 Aliveness Test
13 MOC Int #1, CTV, E-T-E, & Miss Sim #2 Tests
14 HGAS Walk-out
15 OBS Aliveness & EMI
16 S/A Deploy
17 HGAS Walk-out
18 OBS Functional Test
19 OBS Aliveness Test
20 Limited OBS Functional Test
21 Mass Properties
22 Vibration & Aliveness Test
23 Acoustics & Aliveness Test
24 Shock Separation & Aliveness Test
25 Limited Functional Test
26 Deploy HGAS
27 E-T-E #2
28 Solar Array Deploy
29 HGAS Walk-out
30 Magnetic Survey
31 CPT
32 E-T-E #3 Test, Mission Sim #3
33 Solar Array Deploy
34 STA2 LS Dry Run CPT
35 OBS LS/PAD Functional Test
36 Mass Properties #2
37 Transfer to Launch Site
38 Alignment test
39 Aliveness test
40 Contingency HGAS deploy test
41 Contingency Solar Array deploy test
42 CPT
43 MOC I/F #2, E-T-E #4, Mis Sim #4 Test
44 Fueling
45 Encapsulation
46 Limited Functional Test
47 Launch
48 Fairing Separation
49 Launch Vehicle Separation


Step 3 Determine Inhibit Status During Each Test - High Gain Antenna Deploy

HGAS Deploy

[Table: HGAS deploy inhibit status for each I&T phase; the colour cells are not recoverable from the scan]


Step 3 Determine Inhibit Status During Each Test - Solar Array Deployment

Solar Array Deploy

[Table: columns are the I&T phases at GSFC (Func. Test onward); the red/green status cells are not recoverable from the scan, except that the S/C off and keepout zone rows read NA in the later phases]

Inhibit | Inhibit Control
PSE to deployment | FSW from C&DH SC processor triggered by LV separation switch or ground command
DFU Power Source (arm) | FSW from C&DH SC processor triggered by LV separation breakwires or ground command
DFU Power Source (fire) | FSW from C&DH SC processor triggered by LV separation breakwires or ground command
Tether/pin | I&T procedure
Arming plug removed (test plug or safety cap installed) | I&T procedure
NEA removed/bypassed | I&T procedure
S/C off | Battery and GSE power supply
Control: Keepout zone (restricted access) | barrier, I&T procedure

Legend: No inhibit = red; Inhibit in place = green
Step 4 Determine Software Criticality - HGAS Deployment

HGAS Deploy

[Table: HGAS deploy inhibit status for each I&T phase, with the software criticality marking; cell colours are not recoverable from the scan]

Legend:
No inhibit = red
Inhibit in place = green
Software Control in place (and another physical inhibit in place) = green with slash
Software Control is in place and Critical (no other physical inhibits in place) = green with X
No Software Control (S/C unpowered or inhibits removed) = grey
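The Step 4 colour key can be encoded as a classifier and rolled up across test phases, which is what the tracking tool does by hand. The following is an added example, not the GPM project's tool or code: the inhibit names follow the Step 1 HGAS table, while the phase configurations, the software/non-software split of each control and the status strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    """The colour key used on the Step 4 slides."""
    RED = "no inhibit (red)"
    GREEN = "inhibit in place (green)"
    GREEN_SLASH = "software control + another physical inhibit (green with slash)"
    GREEN_X = "software control critical, no other physical inhibit (green with X)"
    GREY = "no software control: S/C unpowered or inhibit removed (grey)"


@dataclass(frozen=True)
class Inhibit:
    name: str
    control: str    # what operates the inhibit, per the Step 1 table
    software: bool  # assumption: True when FSW or a ground command removes it


# HGAS inhibit list, following the Step 1 "HGAS Inhibits and Controls" table.
HGAS_INHIBITS = [
    Inhibit("PSE FET", "FSW from C&DH SC processor, LV sep switch or ground command", True),
    Inhibit("DFU arm FET", "ground command over 1553 bus to DFU", True),
    Inhibit("DFU fire FET", "ground command over 1553 bus to DFU", True),
    Inhibit("safety strap", "I&T procedure", False),
    Inhibit("arming plug removed", "I&T procedure", False),
    Inhibit("NEA removed/bypassed", "I&T procedure", False),
    Inhibit("S/C off", "battery and GSE power supply", False),
]


def classify(inhibit, in_place, inhibits=HGAS_INHIBITS):
    """Apply the colour key to one inhibit in one phase; in_place maps name -> present."""
    present = in_place.get(inhibit.name, False)
    if not inhibit.software:
        return Status.GREEN if present else Status.RED
    # A software-controlled inhibit only counts while the S/C is powered and
    # the inhibit has not been removed for the test.
    if in_place.get("S/C off", False) or not present:
        return Status.GREY
    other_physical = any(in_place.get(i.name, False)
                         for i in inhibits if not i.software and i.name != "S/C off")
    return Status.GREEN_SLASH if other_physical else Status.GREEN_X


def build_matrix(phases, inhibits=HGAS_INHIBITS):
    """Return {phase: {inhibit name: Status}}, i.e. the tool's colour grid."""
    return {p: {i.name: classify(i, cfg, inhibits) for i in inhibits}
            for p, cfg in phases.items()}


def critical_phases(matrix):
    """Phases in which some software control is the last inhibit standing."""
    return sorted(p for p, row in matrix.items() if Status.GREEN_X in row.values())


# Constructed phase configurations following the three circuit states on the
# "Deployable circuitry during testing" slide, plus an unpowered transport case.
PHASES = {
    "Flight (post arming)": {"PSE FET": True, "DFU arm FET": True, "DFU fire FET": True},
    "Observatory functional test": {"PSE FET": True, "DFU arm FET": True, "DFU fire FET": True,
                                    "arming plug removed": True, "NEA removed/bypassed": True},
    "CPT": {"PSE FET": True, "DFU arm FET": True, "DFU fire FET": True,
            "NEA removed/bypassed": True},
    "Transport (unpowered)": {"S/C off": True, "safety strap": True, "arming plug removed": True},
}

if __name__ == "__main__":
    matrix = build_matrix(PHASES)
    for phase, row in matrix.items():
        print(phase)
        for name, status in row.items():
            print(f"  {name:22s} {status.value}")
    print("software critical in:", critical_phases(matrix))
```

With these constructed phases only the flight configuration leaves a software control as the sole inhibit (green with X); the two ground-test configurations keep a physical inhibit in place, so their software controls grade green with slash.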



Step 4 Determine Software Criticality - Solar Array Deployment

Solar Array Deploy

[Table: column groups are I&T Phases at GSFC, Trans, I&T Phases at TnSC, Post Launch. Phase columns recoverable from the scan include: Func. Test; Deploy SA, Alive test, SA stow; Mass Prop 1; Shock Sep & Alive; limited Func. Test; Integrate SA, Alive test, SA ... The status cells are not recoverable from the scan]

Inhibit | Inhibit Control
PSE to deployment | FSW from C&DH SC processor triggered by LV separation switch or ground command
DFU Power Source (arm) | FSW from C&DH SC processor triggered by LV separation breakwires or ground command
DFU Power Source (fire) | FSW from C&DH SC processor triggered by LV separation breakwires or ground command
Tether/pin | I&T procedure | na
Arming plug removed (test plug or safety cap installed) | I&T procedure | na
NEA removed/bypassed | I&T procedure | na
S/C off | Battery and GSE power supply | NA
Control: Keepout zone (restricted access) | barrier, I&T procedure | NA

Software safety Assessment
Software (SW) Safety Support | monitor | Software (SW) Safety Support to certify all SW verifications are complete

Legend:
Software Control in place (and another physical inhibit in place) = green with slash
Software Control is in place and Critical (no other physical inhibits in place) = green with X
No Software Control (S/C unpowered or inhibits removed) = grey





Step 4 Determine Software Criticality - GMI Deployment

GMI Deploy

[Table: GMI deploy inhibit status for each I&T phase; the cell contents are not recoverable from the scan]

Software safety Assessment
Software (SW) Safety Support | Software (SW) Safety Support to certify all SW verifications are complete

Legend:
No inhibit = red
Inhibit in place = green
Software Control in place (and another physical inhibit in place) = green with slash
Software Control is in place and Critical (no other physical inhibits in place) = green with X
No Software Control (S/C unpowered or inhibits removed) = grey
Step 4 Determine Software Criticality - S/C Transmitter Activation

S/C RF Transmitters

[Table: column headers recoverable from the scan are "Inhibit Control for Transmitter A (HGA)", "Inhibit Control for Transmitter B (Omni)" and "Backup ground commands for Transmitter B"; the status cells are not recoverable]

Inhibit | Inhibit Control | Backup ground commands
PSE 1 to transmitter | FSW from C&DH SC processor over 1553 bus, triggered by fairing breakwires plus timer | Ground command over 1553 bus
PSE 2 to transmitter | FSW from C&DH SC processor over 1553 bus, triggered by fairing breakwires plus timer | Ground command over 1553 bus
Transponder | FPGA from C&DH via 422, initiated by FSW triggered by T-01 or T-02 breakwires plus timer | Ground command over 1553 bus
Hat couplers | I&T procedure | I&T procedure
S/C off | Battery and GSE power supply | Battery and GSE power supply
Keepout zone | barrier, I&T procedure | I&T procedure

Software safety Assessment
Software (SW) Safety Support | Software (SW) Safety Support to certify all SW verifications are complete | Supporting Hazard Inhibits/Controls

Legend:
No inhibit = red
Inhibit in place = green
Software Control in place (and another physical inhibit in place) = green with slash
Software Control is in place and Critical (no other physical inhibits in place) = green with X
No Software Control (S/C unpowered or inhibits removed) = grey
Step 4 Determine Software Criticality - DPR Radar Activation

RF (KuPR and/or KaPR)

[Table: columns are the I&T Phases at GSFC; the status cells are not recoverable from the scan]

Inhibit | Inhibit Type | Inhibit Control
DPR internal power - On | | Grnd Ctrl SW from C&DH SC processor
SSPA transmission | | Grnd Ctrl SW from C&DH SC processor; Grnd Cmds from C&DH; 128 separate Grnd Cmds from instrument controller to each transmitter line in Stand-By Mode
Test Divider/Combiner | absorber | I&T procedure
RF absorber/panel | absorber | I&T procedure
RF detection shut down monitor | RF detector / relay | monitor sensor triggers EGSE relay
S/C off | relay | Battery and GSE power supply
DPR GSE off or disconnected from DPR | |

Software safety Assessment
Software (SW) Safety Support | Software (SW) Safety Support to certify all SW verifications are complete

Legend:
Software Control in place (and another physical inhibit in place) = green with slash
Software Control is in place and Critical (no other physical inhibits in place) = green with X
No Software Control (S/C unpowered or inhibits removed) = grey
Step 4 Determine Software Criticality - Propulsion Hydrazine Release

Propulsion Inhibits

[Table: phase columns are I&T Phases at GSFC (Func. Test; Mag Survey; CPT (baseline OBS); TV, Therm Bal, CPT, Miss Sim #2; Alive Test; MOC Int #1, CTV, E-T-E, & Sim #1 Tests; OBS Alive & EMI; Func. Test; Alive Test; Func. Test; Mass Prop 1; VIBE & Alive; AC & Alive; Shock Sep & Alive; limited Func. Test; E-T-E #2; Mag Survey; CPT; E-T-E #3 Test, Mission Sim #3; STA2 LS Dry Run CPT; OBS LS/PAD Functional; Mass Prop 2), Trans to TNSC, I&T Phases at TnSC (STA-2 Align; STA-2 Alive; STA-2 CPT; MOC I/F #2, E-T-E #4, Mis Sim #4 Test), and Trans to SFA. Every status cell in every row reads NA for these phases]

Inhibits | Inhibit Type | Inhibit Control
1. PSE PROP I/O | FET | Ground command to PSE
2. MACE A power source (Latch and Thruster) | FET | Ground command to PSE for MACE A PROP I/O FPGA 1
3. MACE A return (Latch and Thruster) | FET | Ground command to PSE for MACE A PROP I/O FPGA 2
4. S/C off | relay | Battery and GSE power supply
Control: Keep out zone (operators in SCAPE) | barrier | I&T procedure

Software safety Assessment
Software (SW) Safety Support | monitor | Software (SW) Safety Support to certify all SW verifications are complete

Legend:
No inhibit = red
Inhibit in place = green
Software Control in place (and another physical inhibit in place) = green with slash
Software Control is in place and Critical (no other physical inhibits in place) = green with X
No Software Control (S/C unpowered or inhibits removed) = grey
Unique Hazard Report Controls for Software


Inadvertent Commanding via Ground or Flight Software 

1. Safety critical commands and telemetry database for the C&DH flight software and ground systems 
loaded with configured database (ASIST) operates properly. 

2. Restrict the use of safety critical software that removes deployment inhibits commands to one per 
flight command sequence (script). 

3. NASA software safety will review build test plans and results used to test the loaded flight image to 
ensure full coverage of safety critical functions. 

4. The flight software will require three independent "signals" following independent software and 
hardware paths to remove the three independent safety inhibits. 

5. Monitor health and safety of flight software system. The safety critical functionality is listed below: 

a) Hardware memory scrubbing 

b) Routine which detects faulted tasks (Health and Safety task) 

c) Hardware which detects faulted tasks (Health and Safety task) 

d) Flight processor watchdog timer 

e) Background checksum 

f) Verify initial flight command sequence (i.e. Tables) 

6. Prohibit safety critical commands from the ground system from post encapsulation through planned 
L/V separation. (Flight Rule). 


7. The on board memory will be protected against memory errors by incorporating a memory 
scrubbing routine that will correct single bit errors (via hardware) and report multi bit errors. 

8. The on board flight software will require double checking telemetry values (persistency check) 
before executing on board scripts (capable of removing safety inhibits). 


9. If the redundant processor is activated it boots using a certified flight image (flight SW image and
tables).

NASA will provide independent analyses of flight code.



Controls developed by C. Rogers of EFSI 
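Controls 4, 6 and 8 above (an independent trigger path per inhibit, ground safety-critical commands prohibited after encapsulation, and a persistency check on telemetry before an inhibit-removing script runs) can be illustrated with a small gate model. This is an added example, not GPM flight software: the telemetry point names, the sample counts and the telemetry frames are constructed assumptions.

```python
from collections import deque


class PersistentTrigger:
    """Assert only after `needed` consecutive telemetry samples agree (control 8)."""

    def __init__(self, needed):
        self.history = deque(maxlen=needed)

    def update(self, sample):
        self.history.append(bool(sample))
        return len(self.history) == self.history.maxlen and all(self.history)


# Each inhibit is tied to its own trigger path, following the Step 3 table:
# inhibit 1 to the LV separation switch, 2 and 3 to the separation breakwires.
# The point names and sample counts are constructed values, not GPM's.
INHIBIT_TRIGGERS = {
    "PSE FET (inhibit 1)": ("lv_sep_switch", 3),
    "DFU arm FET (inhibit 2)": ("lv_sep_breakwire_a", 3),
    "DFU fire FET (inhibit 3)": ("lv_sep_breakwire_b", 3),
}


class InhibitReleaseGate:
    """Decides when an inhibit-removing RTS may run; one independent path per inhibit."""

    def __init__(self, triggers=INHIBIT_TRIGGERS, ground_locked=True):
        self.sources = {inh: src for inh, (src, _) in triggers.items()}
        self.checkers = {inh: PersistentTrigger(n) for inh, (_, n) in triggers.items()}
        self.released = []                  # inhibits cleared, in order
        self.ground_locked = ground_locked  # control 6: flight rule lock post-encapsulation

    def ingest(self, frame):
        """Feed one telemetry frame; return inhibits newly cleared for release."""
        newly = []
        for inh, checker in self.checkers.items():
            if checker.update(frame.get(self.sources[inh], False)) and inh not in self.released:
                self.released.append(inh)
                newly.append(inh)
        return newly

    def ground_release(self, inhibit):
        """Ground-command path; refused while the flight rule lock is on."""
        if self.ground_locked or inhibit not in self.sources or inhibit in self.released:
            return False
        self.released.append(inhibit)
        return True


def simulate(frames, gate=None):
    """Run frames through a gate; return [(frame index, inhibit released)]."""
    gate = gate or InhibitReleaseGate()
    return [(t, inh) for t, frame in enumerate(frames) for inh in gate.ingest(frame)]


# Constructed telemetry: a single-frame glitch on the switch at t=0, then a
# genuine separation indication from t=2 (switch) and t=3 (breakwires);
# breakwire B drops out at t=5, so its inhibit is never released here.
FRAMES = [
    {"lv_sep_switch": True},
    {},
    {"lv_sep_switch": True},
    {"lv_sep_switch": True, "lv_sep_breakwire_a": True, "lv_sep_breakwire_b": True},
    {"lv_sep_switch": True, "lv_sep_breakwire_a": True, "lv_sep_breakwire_b": True},
    {"lv_sep_switch": True, "lv_sep_breakwire_a": True, "lv_sep_breakwire_b": False},
]

if __name__ == "__main__":
    for t, inh in simulate(FRAMES):
        print(f"t={t}: release {inh}")
```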
Summary


1. I&T is complicated, and the safety inhibit philosophy can be different from test to test.

2. Software criticality depends on the testing's use of the hardware inhibits.

3. The tool helped Safety bridge a gap in understanding of the I&T testing plans.
  • Allowed the safety team to make a more informed decision on the use of inhibits, and gave a summary of what needed to be in the WOAs/procedures. Time savings when reviewing procedures.
  • Provided a communication tool with Systems Engineers and Project Management. Was able to point out inconsistencies, potential risks and hazards.

4. The tool can be used on other missions for the same purpose.
Questions?

THANK YOU VERY MUCH!

Japan Aerospace Exploration Agency